Forum Discussion
Okay, so some additional thoughts.

- In your APM Kerberos SSO, ensure that the Send Authorization setting is set to "Always" for Microsoft services. For anything else it depends on the version of Kerberos they use (MITv5 or SPNEGO).

- Make sure time is good between APM and the KDC and target server.

- Set a static SPN in the APM SSO and disable all but one pool member at a time to make sure it's not just one of the servers having an issue.

- Expand your Wireshark inspection to include DNS traffic between APM and the DC. Display filter:

    kerberos or dns or http

- The KRB_ERR_GENERIC message can happen if:
  - UDP is fragmented and/or TCP is selected and the PAC data is overloading the ticket. This usually happens if the user is a member of many groups.
  - The SPN is too long or has too many parts. Try setting your SPN to something simpler, like "HOST/krbsso.internal.com".

- If you're using a domain user account as the IIS application pool owner, you need to disable Windows Integrated Authentication kernel mode.

- To clear the Kerberos SSO cache between tests:

    bigstart restart websso

- To add debug logging (remember to turn this off when you're done):

    tmsh modify sys db log.sso.level value debug

- For even more debug logging:

    export KRB5_TRACE=/tmp/krb5trace
    tail -f /tmp/krb5trace
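A small helper, added here as an example and not part of the original post, that applies the SPN advice above (prefer the simple two-part HOST/fqdn form, avoid extra parts) to a list of candidate SPNs before you try them one pool member at a time. The length threshold `max_len` is an assumed value; the post does not give a number.

```python
import re

# Accepts "CLASS/host", "CLASS/host:port" and "CLASS/host:port/servicename".
_SPN_RE = re.compile(
    r"^(?P<cls>[A-Za-z][A-Za-z0-9_-]*)/(?P<host>[^:/]+)"
    r"(?::(?P<port>\d+))?(?:/(?P<name>[^/]+))?$"
)


def check_spn(spn, max_len=100):
    """Return a list of findings for one SPN; an empty list means it already has the
    simple two-part shape the post recommends. max_len is an assumed threshold."""
    findings = []
    m = _SPN_RE.match(spn)
    if not m:
        findings.append("malformed: expected CLASS/host[:port][/servicename]")
        return findings
    host = m.group("host")
    parts = spn.count("/") + 1  # service class + host (+ optional service name)
    if parts > 2:
        findings.append(f"{parts} parts; try a two-part SPN such as HOST/{host}")
    if "." not in host:
        findings.append(f"short host name '{host}'; use the FQDN that DNS resolves from APM")
    if len(spn) > max_len:
        findings.append(f"{len(spn)} characters; SPN is long, consider a shorter name")
    return findings


def triage_spns(spns):
    """Map each candidate SPN to its findings so the simplest one can be tried first."""
    return {spn: check_spn(spn) for spn in spns}


if __name__ == "__main__":
    # Constructed sample SPNs for illustration only.
    for spn, found in triage_spns([
        "HOST/krbsso.internal.com",
        "HTTP/web01.internal.com:8080/appsvc",
        "HTTP/web01",
    ]).items():
        print(spn, "->", found or "ok")
```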